separate build from publish job for handling security issues linked t…

…o permission write
Epiconcept-Paris · Jun 21, 2024 · ed8eee7 · ed8eee7
1 parent cdb4f58
commit ed8eee7
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 18 deletions.
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -5,14 +5,9 @@ on:
       types: [prereleased]
 
 jobs:
-  prerelease:
-    name: Publish prerelease to TestPyPI
+  build-prerelease:
+    name: Build package for TestPyPI
     runs-on: ubuntu-latest
-    environment:
-      name: prerelease
-      url: https://test.pypi.org/p/deidcm
-    permissions:
-        id-token: write
     steps:
     - name: Checkout Repository
       uses: actions/checkout@v4
@@ -24,7 +19,31 @@ jobs:
       run: |
         python -m pip install --upgrade pip build
         python -m build
+    # the following step is used to pass data to publish-test-pypi job
+    # Artifacts can be used for this purpose between jobs of a same workflow run
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+          name: prerelease-package-distributions
+          path: dist/
+
+  publish-test-pypi:
+    name: Publish prerelease to TestPyPI
+    needs:
+      - build-prerelease
+    runs-on: ubuntu-latest
+    environment:
+      name: prerelease
+      url: https://test.pypi.org/p/deidcm
+    permissions:
+        id-token: write
+    steps:
+    - name: Download the dists
+      uses: actions/download-artifact@v4
+      with:
+          name: prerelease-package-distributions
+          path: dist/
     - name: Publish to TestPyPi
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        repository-url: https://test.pypi.org/legacy/
+        repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,24 +5,43 @@ on:
     types: [released]
 
 jobs:
-  rlease:
+  build-release:
+    name: Build package for PyPI
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3.x"
+    - name: Build Package
+      run: |
+        python -m pip install --upgrade pip build
+        python -m build
+    # the following step is used to pass data to publish-test-pypi job
+    # Artifacts can be used for this purpose between jobs of a same workflow run
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+          name: release-package-distributions
+          path: dist/
+
+  publish-pypi:
     name: Publish release to PyPI
+    needs:
+      - build-release
     runs-on: ubuntu-latest
     environment:
       name: release
       url: https://pypi.org/p/deidcm
     permissions:
       id-token: write
     steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - name: Download the dists
+        uses: actions/download-artifact@v4
         with:
-          python-version: "3.x"
-      - name: Build Package
-        run: |
-          python -m pip install --upgrade pip build
-          python -m build
+            name: release-package-distributions
+            path: dist/
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1